Problem Description:
I am supporting an application that recently upgraded to ColdFusion 2018. Since the upgrade we are seeing intermittent but regular errors being thrown by the cflogin tag.
The exception dumped by ColdFusion is "Authentication has failed. Please check the logs for more details."
Looking at the exception logs in CF Admin shows the following exception:
"Error","ajp-nio-8018-exec-12","07/30/18","20:09:53","","'' Can not decode string ""C59C17FB2B9F91BC_ODGvJ cMMwzj9RhNvDJcNk5pl6a5Zokmb8o6PlR13cs===="". The input string is not base64-encoded."
coldfusion.wddx.Base64Encoder$InvalidEncodedStringException: '' Can not decode string "C59C17FB2B9F91BC_ODGvJ cMMwzj9RhNvDJcNk5pl6a5Zokmb8o6PlR13cs====".
at coldfusion.wddx.Base64Encoder.decode(Base64Encoder.java:131)
at coldfusion.security.SecurityManager.decodeBase64(SecurityManager.java:3493)
at coldfusion.security.SecurityManager.parseAuthInfo(SecurityManager.java:3380)
at coldfusion.tagext.security.AuthenticateTag.parseAuthUpdate(AuthenticateTag.java:397)
at coldfusion.tagext.security.AuthenticateTag.doStartTag(AuthenticateTag.java:358)
When this error occurs the user will get locked into the invalid cookie and will receive an error until they clear their cookies or until their session times out.
We have tracked this down to being an issue with the cookie that the cflogin tag is using to handle the authentication.
Here is the format of the valid cookie:
CFAuthentication_[application_name]: NDAzNTA3DUFtYmFzc2Fkb3JTdHVkaW8NMTUzMjk5OTgzNjA3Mg1GN0VCMTUxRDI0QThDNjU2
Here is the format of the cookie when the error occurs:
CFAuthentication_[application_name]: F310D1CF19C29009_HouwFInO5M0RChopPY0eiBDypCUa8/XuqIBwNNWKji0=
Steps to Reproduce:
We are not able to accurately reproduce this. It seems to happen after a short period of inactivity, but this doesn't seem consistent and may be coincidence. We have accurately tracked that both formats are occurring for the cookie and that the second format results in failure of cflogin.
Actual Result:
User gets assigned an invalid CFAuthorization_ token and the cflogin fails to work.
Expected Result:
User gets and maintains a valid CFAuthorization_ token that will work with the cflogin tag.
Any Workarounds:
We are able to catch the exception when it occurs and force a logout. This clears the invalid cookie and the user is assigned a valid cookie upon logging in. This does not seem to permanently fix it for that user, however.

Attachments:

Comments:

Hi Chris,
Could you please share the code snippet with us, so that we can check if we can repro this intermittent issue.
Also, do share with us any setting that you have done with respect to cookies in Application.cfc/Admin.
Thanks!

Yes running into this problem as well on CF2018. App runs fine on CF11.
"Error","ajp-nio-8018-exec-10","12/14/18","02:29:37","","Incompatible login information was specified."
"Error","ajp-nio-8018-exec-10","12/14/18","02:29:37","","'' Can not decode string ""B7055C001F34A6FA_hAxiG5yO2BfieIz45yLMIwB0Tyg4LI6VhA3LhnU0uPE===="". The input string is not base64-encoded."
"Error","ajp-nio-8018-exec-10","12/14/18","02:29:37","","'' Can not decode string ""B7055C001F34A6FA_hAxiG5yO2BfieIz45yLMIwB0Tyg4LI6VhA3LhnU0uPE===="". The input string is not base64-encoded."
coldfusion.wddx.Base64Encoder$InvalidEncodedStringException: '' Can not decode string "B7055C001F34A6FA_hAxiG5yO2BfieIz45yLMIwB0Tyg4LI6VhA3LhnU0uPE====".
at coldfusion.wddx.Base64Encoder.decode(Base64Encoder.java:131)
at coldfusion.security.SecurityManager.decodeBase64(SecurityManager.java:3493)
at coldfusion.security.SecurityManager.parseAuthInfo(SecurityManager.java:3380)
at coldfusion.tagext.security.AuthenticateTag.parseAuthUpdate(AuthenticateTag.java:397)
at coldfusion.tagext.security.AuthenticateTag.doStartTag(AuthenticateTag.java:358)
at cfApplication2ecfm1944489541._factor5(D:\abc\Application.cfm:44)
at cfApplication2ecfm1944489541._factor8(D:\abc\Application.cfm:43)
at cfApplication2ecfm1944489541._factor9(D:\abc\Application.cfm:1)
at cfApplication2ecfm1944489541.runPage(D:\abc\Application.cfm:1)
at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:262)
at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:729)
at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:565)
at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:4082)
at cfApplication2ecfm2078254534.runPage(D:\Home\RepoHawk-Nexus\admin\accounts\Application.cfm:1)
at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:262)
at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:729)
at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:565)
at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
at coldfusion.filter.CfincludeFilter.include(CfincludeFilter.java:33)
at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:421)
at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43)
at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
at coldfusion.filter.PathFilter.invoke(PathFilter.java:162)
at coldfusion.filter.IpFilter.invoke(IpFilter.java:45)
at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:96)
at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60)
at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
at coldfusion.CfmServlet.service(CfmServlet.java:226)
at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:311)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:46)
at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:47)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:422)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:764)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1388)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1135)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:844)

Hi Adobe,
Decoding the Base64 auth info produces 4 lines of text. Example:
-----------
myUsername
myAppName
1544913669249
B21A210A127191FE
-----------
I see the 3rd line (i.e. 1544913669249) is the milliseconds after epoch since cflogin ran. Okay.
Question: How exactly is the last line (i.e. B21A210A127191FE) generated? I see its value changes after re-login, even with same password.
Question: Where is this auth info format documented? If it isn't documented, can it be?
Thanks!,
-Aaron
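The two cookie shapes in this thread (the valid four-field base64 value in the report, and the `<16 hex chars>_<base64-ish tail>` value that makes cflogin throw, plus the decoded layout Aaron posted) can be checked offline. The following is an added example written for this page, not code from the report, from Adobe or from ColdFusion itself. It assumes the four fields are separated by a bare carriage return (0x0D), which is what decoding the valid cookie shown in the report yields, and that the failing shape always starts with 16 upper-case hex digits and an underscore, as in every value quoted above. The sample cookie values below are constructed, not taken from a live system. The `strict_b64decode` helper is what makes the second shape fail: `_` and a space are outside the base64 alphabet, and `====` is more padding than base64 permits, so a strict decoder rejects the whole value exactly as CF's `Base64Encoder.decode` does.

```python
import base64
import binascii
import re
from datetime import datetime, timezone
from typing import Optional

# Assumption: fields are separated by a bare carriage return (0x0D); this is
# what the valid CFAuthorization cookie in the report decodes to.
SEP = "\r"
HEX_TOKEN = re.compile(r"^[0-9A-F]{16}$")
# Assumption: the failing shape is 16 upper-case hex digits, '_', then a tail.
PREFIXED = re.compile(r"^([0-9A-F]{16})_(.*)$", re.DOTALL)


def strict_b64decode(value: str) -> Optional[bytes]:
    """Decode clean base64 or return None.

    validate=True rejects anything outside [A-Za-z0-9+/] (so '_' and ' ')
    and more than two '=' padding characters (so the '====' seen in the logs).
    """
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def encode_legacy(user: str, app: str, ts_ms: int, token: str) -> str:
    """Build a cookie in the four-field, CR-separated, base64 layout."""
    if not HEX_TOKEN.match(token):
        raise ValueError("token must be 16 upper-case hex digits")
    raw = SEP.join([user, app, str(ts_ms), token]).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_legacy(value: str) -> Optional[dict]:
    """Parse the four-field layout; None if the value is not that layout."""
    raw = strict_b64decode(value)
    if raw is None:
        return None
    try:
        fields = raw.decode("utf-8").split(SEP)
    except UnicodeDecodeError:
        return None
    if len(fields) != 4 or not fields[2].isdigit() or not HEX_TOKEN.match(fields[3]):
        return None
    ts_ms = int(fields[2])
    login = datetime.fromtimestamp(ts_ms // 1000, tz=timezone.utc)
    return {
        "user": fields[0],
        "app": fields[1],
        "login_ms": ts_ms,
        "login_utc": login.isoformat(),
        "token": fields[3],
    }


def classify(value: str) -> dict:
    """Report which of the two shapes a cookie value has and what is in it."""
    legacy = decode_legacy(value)
    if legacy is not None:
        return {"format": "legacy", **legacy}
    m = PREFIXED.match(value)
    if m:
        prefix, tail = m.groups()
        tail_bytes = strict_b64decode(tail)
        return {
            "format": "prefixed",
            "prefix": prefix,
            "tail_is_base64": tail_bytes is not None,
            "tail_bytes": len(tail_bytes) if tail_bytes is not None else None,
        }
    return {"format": "unknown"}


def needs_reset(value: str) -> bool:
    """True when the value would not parse as the four-field layout.

    This is the condition under which the report's workaround (catch the
    exception, force a logout so the cookie is reissued) has to kick in.
    """
    return decode_legacy(value) is None


# Constructed samples (not real session data).
SAMPLE_GOOD = encode_legacy("myUsername", "myAppName", 1544913669249, "B21A210A127191FE")
# Prefixed shape whose tail is clean base64 of 32 bytes, like the 44-character
# tail quoted in the report.
SAMPLE_PREFIXED_CLEAN = "0123456789ABCDEF_" + base64.b64encode(bytes(range(32))).decode("ascii")
# Prefixed shape with four '=' characters, like the values in the exception logs.
SAMPLE_PREFIXED_BAD_PAD = "0123456789ABCDEF_Zm9v===="

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_PREFIXED_CLEAN, SAMPLE_PREFIXED_BAD_PAD):
        print(sample, "->", classify(sample), "reset:", needs_reset(sample))
```

Run against a cookie pulled from a browser, the script tells you whether the user is sitting on the legacy layout or the prefixed one; on the prefixed one it also says whether the tail is well-formed base64 and how many bytes it carries. Note that a strict decoder is the right comparison here: Python's default `b64decode` (without `validate=True`) silently skips the space and the surplus padding and would hide exactly the condition CF trips on.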